Cerberus Stalkerware Exploits Accessibility Features for Covert Surveillance
A sophisticated Android application named Cerberus Anti-theft has been operating undetected on the Google Play Store since October 4, 2023. Marketed as a legitimate anti-theft tool, this app clandestinely monitors users by leveraging Android’s accessibility features. Developed by LSDroid SRL, an Italian company, Cerberus is available via subscription for 5 euros per month.
Stealthy Surveillance Capabilities
Once installed, Cerberus operates covertly, capturing photos, tracking locations, recording audio, and even wiping devices without user consent. The app activates upon various triggers, such as device boot, screen unlock, network changes, app installations, and motion detection. For instance, if a user interacts with a notification on a locked screen, Cerberus can silently take a photo using the front camera within fifteen seconds, log the device’s location, and execute pre-configured commands—all without alerting the user.
Firebase Integration for Command Execution
Cerberus uses Firebase Cloud Messaging, a service owned by Google, to manage its command-and-control operations. This integration allows the app to receive remote commands such as "take a photo" or "wipe the device" through Google's servers. Five Firebase projects associated with the LSDroid developer account host these command channels and synchronize the operator dashboard with infected devices. Disabling these Firebase projects would effectively sever the connection between the stalkerware and its controllers.
Companion App Enhances Functionality
The companion application, Lock Screen Protector (`com.lsdroid.lsp`), extends Cerberus’s capabilities. By obtaining Android accessibility service permissions, it can read on-screen content and perform touch gestures, further compromising user privacy.
Historical Context and Detection Challenges
Cerberus has a history of evading detection. In 2018, it was removed from the Google Play Store under a policy unrelated to stalkerware. However, it reappeared under a different package name, continuing its operations. In 2020, Cerberus accounted for 52% of all stalkerware detections globally, making it the most detected stalkerware family that year.
Implications and Recommendations
The presence of such applications on official platforms underscores the need for enhanced scrutiny and user awareness. Users should be cautious when granting accessibility permissions and regularly review installed applications for any suspicious activity. Additionally, developers and platform operators must implement stricter policies to prevent the distribution of malicious software.
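One way to carry out the accessibility review recommended above, as an added example that is not part of the original article: the script parses the colon-separated value Android returns for `settings get secure enabled_accessibility_services` and marks every enabled service's package for review, flagging the companion package named on this page. The sample string and its component names are constructed placeholders, and the watchlist holds only `com.lsdroid.lsp`.

```shell
#!/bin/sh
# Added example: audit the accessibility services enabled on an Android device.
# Live usage (requires adb and an authorized device):
#   sh audit.sh "$(adb shell settings get secure enabled_accessibility_services)"
# The setting is a colon-separated list of package/component entries, or "null".

# Package named on this page; extend with identifiers from sources you trust.
WATCHLIST="com.lsdroid.lsp"

# Constructed sample, not captured from a real device. The component names and
# the two non-watchlist packages are made-up placeholders.
SAMPLE="com.example.reader/.ReaderService:com.lsdroid.lsp/.ExampleService:org.example.keys/org.example.keys.A11y"

# list_packages RAW -> one package name per line, sorted and de-duplicated
list_packages() {
    raw=$(printf '%s' "$1" | tr -d '\r')      # older adb builds append CR
    case "$raw" in ''|null) return 0 ;; esac  # nothing enabled
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s\n' "${entry%%/*}"          # keep the part before '/'
    done | sort -u
}

# audit_services RAW -> "WATCHLIST <pkg>" or "REVIEW <pkg>" per enabled package
audit_services() {
    list_packages "$1" | while IFS= read -r pkg; do
        verdict=REVIEW
        for bad in $WATCHLIST; do
            if [ "$pkg" = "$bad" ]; then verdict=WATCHLIST; fi
        done
        printf '%s %s\n' "$verdict" "$pkg"
    done
}

# Audit the value passed as the first argument, or the constructed sample.
audit_services "${1:-$SAMPLE}"
```

Every `REVIEW` line is a package that can read screen content, so each one should be an app the device owner recognizes and enabled deliberately.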